Why to use Identity NAT for VPNs in ASA 8.3 and above?

Question: Why do we use Identity NAT for VPN traffic if NAT isn’t a mandatory requirement in ASA 8.3 and above?

Answer: If your VPN tunnels terminate on the outside interface and a Dynamic PAT is applied to that interface, then all traffic flowing in the direction of the Dynamic PAT (e.g. inside to outside) is matched against it and translated according to that rule, and that includes the traffic you intend to send through the VPN. This is why you have to define Identity NAT rules: they single out the VPN traffic from normal traffic so that it is matched before the Dynamic PAT and is not translated.

So, to sum it up:

1. If you have a Dynamic PAT or any other form of NAT that shadows your VPN traffic then you need to define the Identity NAT statements and make sure they are at the top of the Unified NAT table.

2. And if you have a Dynamic PAT or any other form of NAT that does not shadow your VPN traffic at all, then you need not define any NAT statements.

The direction of the NAT is important.
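The following ASA 8.3+ configuration fragment is an added example, not part of the original post, showing case 1 above: a Dynamic PAT on the outside interface that would otherwise shadow the VPN traffic, plus an Identity NAT placed in manual NAT section 1 so it is evaluated first. The object names, the 10.1.1.0/24 local and 10.2.2.0/24 remote subnets, and the hosts used in the packet-tracer check are all constructed for this example.

```cisco
! --- Constructed example: local and remote VPN subnets ---
object network INSIDE-LAN
 subnet 10.1.1.0 255.255.255.0
 ! Dynamic PAT for general Internet traffic (object/auto NAT, lands in section 2).
 ! On its own this rule would also catch inside-to-outside VPN traffic.
 nat (inside,outside) dynamic interface

object network REMOTE-LAN
 subnet 10.2.2.0 255.255.255.0

! Identity NAT for the VPN traffic: manual (twice) NAT at line 1 of section 1,
! so it is matched before the Dynamic PAT. Source and destination are translated
! to themselves, i.e. left untouched. It is bidirectional, so return traffic
! from the remote LAN is covered as well.
nat (inside,outside) 1 source static INSIDE-LAN INSIDE-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
```

To confirm the ordering, `show nat` lists section 1 (manual NAT) before section 2 (object NAT), and a simulated flow such as `packet-tracer input inside tcp 10.1.1.10 12345 10.2.2.10 443` should show the Identity NAT, not the Dynamic PAT, as the matching NAT rule, followed by the VPN encrypt phase. If the Dynamic PAT had been written as a manual NAT rule in section 1 as well, the Identity NAT would still need to sit above it, which is what the explicit line number `1` guarantees.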
